Cybersecurity researchers have identified a deceptive Google Chrome extension called Crypto Copilot, which secretly diverts small fees from Solana (SOL) transactions. According to a detailed investigation from the cybersecurity firm Socket, the extension injects hidden transfer instructions into every Solana swap, redirecting funds to an attacker-controlled wallet.
The extension has been listed on the Chrome Web Store since mid-2024 and masquerades as a trading aid that allows users to swap Solana tokens directly on X (formerly Twitter). It claims to provide “real-time insights and seamless execution,” but Socket’s team uncovered that it quietly deducts a hidden commission from every transaction.
Socket’s report stated,
“Crypto Copilot injects an extra transfer into every Solana swap, siphoning a minimum of 0.0013 SOL or 0.05% of the trade amount to a hardcoded attacker-controlled wallet.”
The tool presents itself as a legitimate convenience feature yet acts as a disguised fee skimmer that operates at the transaction layer.
How the malicious extension operates
Crypto Copilot integrates with well-known Solana wallets such as Phantom and Solflare, and it displays token data from DexScreener. When a user initiates a swap on Raydium, a Solana-based decentralized exchange, the extension secretly adds an extra instruction that triggers a second transfer of SOL to the attacker’s wallet.
Socket’s research explained that “users sign what appears to be a single swap, but both instructions execute atomically on-chain,” which conceals the unauthorized movement of funds. Because wallet confirmation screens summarize transactions without displaying each individual instruction, most victims remain unaware of the added transfer.
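The per-instruction check that wallet summaries skip can be automated before signing. The following is an added example, not code from Socket or from the extension: it flags System Program transfers to recipients the user did not expect. It assumes the transaction is already decoded with account keys resolved to strings, uses constructed placeholder names (USER, USER_WSOL, UNKNOWN_WALLET, DEX_PROGRAM_PLACEHOLDER), and reads the quoted fee as max(0.0013 SOL, 0.05% of the trade).

```javascript
// Added example (not Socket's or the extension's code): pre-signing instruction audit.
const SYSTEM_PROGRAM = "11111111111111111111111111111111";

// System Program Transfer data: u32 LE instruction index (2), then u64 LE lamports.
function parseSystemTransfer(ix) {
  if (ix.programId !== SYSTEM_PROGRAM || ix.accounts.length < 2) return null;
  const d = ix.data;
  if (!(d instanceof Uint8Array) || d.length !== 12) return null;
  const view = new DataView(d.buffer, d.byteOffset, d.byteLength);
  if (view.getUint32(0, true) !== 2) return null;
  return { from: ix.accounts[0], to: ix.accounts[1], lamports: view.getBigUint64(4, true) };
}

// Fee quoted in the report, read here as max(0.0013 SOL, 0.05% of trade); that
// reading is an assumption. 1 SOL = 1,000,000,000 lamports.
function reportedSkim(tradeLamports) {
  const floor = 1_300_000n;
  const pct = (tradeLamports * 5n) / 10_000n;
  return pct > floor ? pct : floor;
}

// Return every SOL transfer whose recipient the user did not expect.
function auditTransaction(instructions, expectedRecipients, tradeLamports) {
  const allowed = new Set(expectedRecipients);
  const findings = [];
  instructions.forEach((ix, index) => {
    const t = parseSystemTransfer(ix);
    if (!t || allowed.has(t.to)) return;
    findings.push({ index, to: t.to, lamports: t.lamports,
      matchesReportedSkim: t.lamports === reportedSkim(tradeLamports) });
  });
  return findings;
}

// Constructed sample: a 1 SOL swap with one extra transfer appended.
function transferData(lamports) {
  const d = new Uint8Array(12);
  const v = new DataView(d.buffer);
  v.setUint32(0, 2, true);
  v.setBigUint64(4, lamports, true);
  return d;
}
const sampleTx = [
  { programId: SYSTEM_PROGRAM, accounts: ["USER", "USER_WSOL"], data: transferData(1_000_000_000n) },
  { programId: "DEX_PROGRAM_PLACEHOLDER", accounts: ["USER", "POOL"], data: new Uint8Array([9]) },
  { programId: SYSTEM_PROGRAM, accounts: ["USER", "UNKNOWN_WALLET"], data: transferData(1_300_000n) },
];
const findings = auditTransaction(sampleTx, ["USER_WSOL"], 1_000_000_000n);
console.log(findings); // BigInt fields print with an "n" suffix
```

The transfer to the user's own wrapped-SOL account passes because it is on the expected-recipient list; only the appended transfer at index 2 is reported.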
Behind the scenes, the extension’s code uses obfuscation techniques such as minification and variable renaming to hide the malicious functions. It connects to back-end domains including crypto-coplilot-dashboard.vercel.app, which registers connected wallets and collects user information. Another related domain, cryptocopilot.app, remains inactive.
The deceptive behavior makes Crypto Copilot difficult to detect during casual use, and its code appears intentionally structured to pass the Chrome Web Store’s review process. Socket noted that “the surrounding infrastructure appears designed only to pass Chrome Web Store review and provide a veneer of legitimacy while siphoning fees in the background.”
Ongoing exposure and limited user base
Despite being online for months, the extension remains available for download. As of its discovery, it had fewer than 20 known installations, but the cumulative losses for traders could be extensive because the extension operates by taking fractional amounts on each transaction. Frequent users are the most exposed.
Crypto Copilot’s description on the Chrome Web Store emphasizes speed and simplicity, claiming to allow users to “act on trading opportunities instantly without the need for switching between apps or platforms.” This marketing language has misled users into installing the tool without realizing that it introduces unauthorized transfers.
Socket has submitted a formal complaint to Google and requested immediate removal of the extension. The company said that the malicious extension appeared on June 18, 2024, under the user account “sjclark76,” and that the obfuscated code indicates it was designed for durability rather than short-term exploitation.
A broader pattern of crypto-related browser threats
Crypto Copilot is the latest example of a growing series of malicious Chrome extensions targeting digital asset investors. Earlier this year, Socket identified another fraudulent wallet extension that actively drained user funds. In August, the decentralized exchange aggregator Jupiter reported discovering a malicious Chrome plugin that emptied Solana wallets, while in June a Chinese trader reportedly lost $1 million to a similar scam involving another Chrome extension named Aggr.
Socket warned that these incidents demonstrate an expanding threat landscape within browser-based crypto tools.
“Because this transfer is added silently and sent to a personal wallet rather than a protocol treasury, most users will never notice it unless they inspect each instruction before signing,” researcher Kush Pandya said.
The firm emphasized that the case shows the need for stronger oversight of browser extensions that interact with wallets. Chrome’s open extension model remains a recurring entry point for malicious code.
Researchers urge caution for Solana traders
Socket advised Solana traders to remain cautious when granting browser wallet permissions and to verify the integrity of any extension used for crypto trading. The company warned that hidden deductions can accumulate over time, resulting in significant unnoticed losses.
The firm also reminded users that legitimate blockchain transactions should always be reviewed in detail before signing. Cybersecurity analysts believe that the Crypto Copilot case underscores the importance of stronger security vetting in app store ecosystems and greater attention to transaction-level transparency.
